Method and apparatus for managing backup data

ABSTRACT

A method and apparatus for managing backup data is disclosed. A data backup system defines a plurality of time windows for creating and maintaining backup data in accordance with a data backup policy. Each of the time windows is assigned a predetermined amount of storage space. When the data backup system creates backup data, the system determines whether a storage space assigned to a time window is large enough to accommodate new backup data. If the storage space is large enough, the new backup data is stored. However, if the storage space is not large enough, the system deletes the oldest backup data until enough storage space is obtained.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority from U.S. provisional application Nos. 60/541,626 filed Feb. 4, 2004 and 60/542,011 filed Feb. 5, 2004, which are incorporated by reference as if fully set forth herein.

FIELD OF INVENTION

The present invention relates to data backup. More particularly, the present invention is a method and apparatus for managing backup data.

BACKGROUND

Many schemes have been developed to protect data from accidental loss or damage. One of them is hardware redundancy schemes, such as redundant arrays of independent disks (RAID).

Unfortunately, hardware redundancy schemes are ineffective in dealing with logical data loss or corruption. For example, a file deletion or virus infection is often automatically replicated to all of the redundant hardware components and can neither be prevented nor recovered from by such technologies.

To overcome this problem, backup technologies have been developed to retain multiple versions of a production system over time. This has allowed administrators to restore previous versions of data and to recover from data corruption.

One type of data protection system involves making point in time (PIT) copies of data. A first type of PIT copy is a hardware-based PIT copy, which is a mirror of a primary volume onto a secondary volume. The main drawbacks of the hardware-based PIT copy are that the data ages quickly and that each copy takes up as much disk space as the primary volume. A software-based PIT, so called a “snapshot,” is a “picture” of a volume at the block level or a file system at the operating system level.

Backup data is generated in accordance with a data backup policy. Typically, the data backup policy sets an expiration time of each backup. For example, a system may retain all writes to the system for two days to provide any-point-in-time protection, and retain hourly snapshots for two weeks, daily snapshots for two months, and monthly snapshots for one year. Each snapshot has its own expiration time. Typically, the expiration time is determined by a main system clock. The system automatically deletes backup data upon expiration of the timer of each backup in accordance with the main system clock.

If a system operator accidentally or maliciously advances the main system clock, the system would automatically delete snapshots or a metadata timer of which is set before the accidentally or maliciously advanced time. In that situation, the system may or may not recover the deleted data.

SUMMARY

The present invention is a method and apparatus for managing backup data. A data backup system defines a plurality of time windows for creating and maintaining backup data in accordance with a data backup policy. Each of the time windows is assigned a predetermined amount of storage space. When the data backup system creates a backup data, the system determines whether a storage space assigned to a time window is large enough to accommodate the new backup data. If the storage space is large enough, the new backup data is stored, but if the storage space is not large enough, the system deletes the oldest backup data until enough storage space is obtained.

The system may assign a predetermined number of data backups to each of the time windows. Newly created backup data is stored if the number of backups does not exceed the assigned number. The system may also use an internal clock, independent from a main clock, in managing backup data.

BRIEF DESCRIPTION OF THE DRAWINGS

A more detailed understanding of the invention may be had from the following description of a preferred embodiment, given by way of example, and to be understood in conjunction with the accompanying drawings, wherein:

FIGS. 1A-1C are block diagrams of data backup system in accordance with the present invention;

FIG. 2 is a block diagram of a data protection unit in accordance with the present invention; and

FIGS. 3-5 are flow diagrams of processes for managing backup data in accordance with the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention will be described with reference to the drawing figures wherein like numerals represent like elements throughout.

FIG. 1A shows an example of a data backup system 100 that can be implemented in accordance with the present invention. The system 100 comprises a host computer 102, a primary data volume 104 (the primary data volume may also be referred to as a protected volume), a data protection unit 106, and a secondary data volume 108. The host computer 102 is coupled to the primary data volume 104 and to the data protection unit 106. The data protection unit 106 manages the secondary data volume 108, and generates and maintains backup data for data stored in the primary data volume 104. The configuration of the system 100 minimizes the lag time by writing directly to the primary data volume 104 and permits the data protection unit 106 to focus exclusively on managing the secondary data volume 108.

It should be noted that the primary data volume 104 and the secondary data volume 108 can be any type of data storage, including, but not limited to, a single disk, a disk array (such as a RAID), or a storage area network (SAN). The main difference between the primary data volume 104 and the secondary data volume 108 lies in the type of data storage device at each location. The primary volume 104 is typically an expensive, fast, and highly available storage subsystem, whereas the secondary volume 108 is typically a cost-effective, high capacity, and comparatively slow (for example, ATA/SATA disks) storage subsystem.

FIG. 1B shows an alternative example of a system 120 that can be implemented in accordance with the present invention. The host computer 102 is directly connected to the data protection unit 106, which manages both the primary data volume 104 and the secondary data volume 108. The system 120 may be slower than the system 100 described with reference to FIG. 1A, because the data protection unit 106 must manage both the primary data volume 104 and the secondary data volume 108. Although slower operation results in a higher latency for writes to the primary volume 104 in the system 120 and lowers the available bandwidth for use, such a configuration as shown in FIG. 1B may be acceptable in certain applications.

FIG. 1C shows another example of a system 140 that can be implemented in accordance with the present invention. The host computer 102 is connected to an intelligent switch 142. The switch 142 is connected to the primary data volume 104 and the data protection unit 106 which, in turn, manages the secondary data volume 108. The switch 142 includes the ability to host applications and contains some of the functionality of the data protection unit 106 in hardware, to assist in reducing system latency and improve bandwidth.

It should be noted that the configurations of the system in FIGS. 1A-1C are provided as an example. And any other configuration may be implemented, and the data protection unit 106 operates in the same manner regardless of the particular configuration of the system 100, 120, 140. The primary difference between these examples is the manner and place in which a copy of each write is obtained. To those skilled in the art, it is evident that other embodiments, such as the cooperation between a switch platform and an external server, are also feasible. Accordingly, although two data volumes are shown, a single data volume may be used. Additionally, although two data volumes may be used, they made configured such that they are stored on a single storage device.

FIG. 2 is a block diagram of the data protection unit 106 in accordance with the present invention. Backup data is generated, stored and deleted in accordance with a data backup policy. The data protection unit 106 controls generating, storing and deleting of backup data. The data protection unit 106 comprises a controller 112, and a backup data generation unit 114. Optionally, the data protection unit 106 may further comprise an internal clock 116, which will be explained in detail hereinafter.

The controller 112 provides overall control of generating, storing, and deleting backup data. The backup data generation unit 114 generates backup data, such as snapshots, under the control of the controller 112 as desired under the backup policy. The backup data is stored in a storage unit, such as a secondary volume 108. Each backup data has its own expiration time and the controller 112 deletes backup data when that expiration time has expired.

A process for managing backup data will be explained with reference to FIGS. 3-5. FIG. 3 is a flow diagram of a process 300 for managing backup data in accordance with a first embodiment of the present invention. The controller 112 defines a plurality of time windows for creating and maintaining backup data in accordance with a data backup policy (step 302). The time windows may be an hour, a day, a week, a month, a year, or any other period that fits the requirements of the system or the data administrator. For example, the controller 112 may retain all writes generated by the host computer to provide any-point-in-time (APIT) protection, and may retain hourly snapshots, daily snapshots, weekly snapshots, and monthly snapshots.

The controller 112 assigns each of the time windows a predetermined amount of storage space (step 304). For example, the controller 112 may assign 100 GB for APIT window, 100 GB for hourly snapshots, 100 GB for daily snapshots, 100 GB for weekly snapshots, and 100 GB for monthly snapshots.

The backup data generation unit 114 creates backup data under the control of the controller 112 (step 306). For example, if the data backup policy is set to retain every write operation for APIT protection, the backup data generation unit 114 duplicates every write operation in the storage space assigned to the APIT window. In storing the writes, the controller 112 determines whether the assigned storage space is large enough to store the new backup data (step 308). If there is enough assigned storage space remaining to accommodate the new backup data, the new backup data is stored (step 310). However, if the assigned storage space is not large enough, the oldest stored backup data is deleted successively in the assigned storage space until enough storage space in the assigned storage space is obtained to accommodate the newly created backup data (step 312).

As previously described with reference to the prior art, each write retained for APIT protection is deleted after a specific expiration time has passed, for example 24 hours, and the passage of time is calculated by the main system clock. In contrast, in accordance with the present invention, the writes are not deleted depending upon the passage of time, but rather depending upon space availability. This is done without regard to the status of the main system clock. In a time period wherein few writes are committed to the primary storage, the APIT window may retain a much longer period of data; whereas in a time period of very high write activity, a shorter period of data may be retained. The duration of retention is a function of the assigned storage space and frequency of write operations. With this scheme, backup data is protected from accidental or malicious adjustment of the main system clock.

FIG. 4 is a flow diagram of a process 400 for managing backup data in accordance with a second embodiment of the present invention. The process 400 is similar to process 300. In process 400, however, each time window is assigned a predetermined number of backups as explained in more detail below.

The controller 112 defines a plurality of time windows for creating and maintaining backup data in accordance with the data backup policy (step 402). The controller 112 assigns each of the time windows a predetermined number of backups (step 404). For example, the controller 112 may assign 100 backups for APIT window, 50 for hourly snapshots, 10 for daily snapshots, 10 for weekly snapshots, and 20 for monthly snapshots.

The backup data generation unit 114 creates backup data under the control of the controller 112 (step 406). For example, if the data backup policy is set to retain every write operation for APIT protection, the backup data generation unit 114 duplicates every write operation in a storage assigned to the APIT window. In storing the writes, the controller 112 determines whether the assigned number has been exceeded before storing the new backup data (step 408). If the assigned number has not been exceeded, the new backup data is stored (step 410). However, if the assigned number has been exceeded, the oldest backup data may be first deleted and the new backup data is stored (step 412). Alternatively, if the assigned number has been exceeded, generation of new backup data may be stopped, or interleaving backup data may be deleted before storing the new backup data.

As previously described with reference to the prior art, each write retained for APIT protection would typically be deleted after a certain expiration time has passed, and the passage of time is calculated in accordance with the main system clock. In contrast, in accordance with the present invention, the writes are not deleted depending upon the passage of time, but rather depending upon the available number of backups. This is done without regard to the main system clock. Therefore, in a time period wherein few writes are committed to the primary storage, the APIT window may retain a longer period of data; whereas in a time period of very high write activity, a shorter period of data may be retained. The duration of retention is a function of the assigned number and frequency of write operations. With this scheme, backup data is protected from accidental or malicious adjustment of the main system clock.

FIG. 5 is a flow diagram of a process 500 for managing backup data in accordance with a third embodiment of the present invention. In the third embodiment, an internal clock 116, (separate from the main clock in the host computer), 102 is provided in the data protection unit 106 (step 502). The internal clock 116 is a permanent clock. The internal clock 116 is set when the data protection unit 106 is initiated. As the main clock advances, the internal clock 116 advances as well. However, when the main clock is adjusted, the data protection unit 106 preferably maintains an offset between the main clock and the internal clock 116 instead of adjusting the internal clock 116.

A backup data is created in accordance with the data backup policy (step 504). The controller 112 determines whether the expiration time for a particular backup has expired in accordance with the internal clock 116 (step 506). Expired backup data is deleted (step 510) and unexpired backup data is maintained (step 508).

The data protection unit 106 deletes expired backup data in accordance with the internal clock 116, rather than the main clock. With this scheme, the data protection unit 106 may maintain the lifespan of data backups independent from an adjustment to the main clock.

Alternatively, the system may record the interval that the system has been up and adjust the internal clock by the last recorded interval. The interval is recorded on a persistent media. The internal clock may be referred to as an “uptime clock” since the internal clock in this alternative counts only the time that the system is running. When the system is recovered from shut down, the main clock and the internal clock should be reset. The internal clock is adjusted with the last recorded interval during which the system is up. With this scheme, the internal clock may not jump back or forward more than one recorded interval. As a consequence, the backup data is expired based only on the time that the system is running not counting the time that the system is down.

The foregoing embodiments may be combined with each other. For example, the data backup policy may specify that at least five (5) hourly snapshots should be taken at any given time as far as the hourly snapshots do not take more than 100 GB of storage space. The system may then take as many snapshots until the 100 GB are used up. The system may further set an expiration time for each backup data in accordance with an internal clock. Thereafter, the system may delete expired backup data even before the 100 GB limit is used up.

While specific embodiments of the present invention have been shown and described, many modifications and variations could be made by one skilled in the art without departing from the scope of the invention. The above description serves to illustrate and not limit the particular invention in any way. 

1. A method for protecting backup data stored in a data backup system, the method comprising: defining a plurality of time windows for creating and maintaining backup data in accordance with the data backup policy; assigning each of the time windows a predetermined amount of storage space; creating a backup data in accordance with a data backup policy; determining whether a storage space assigned to a time window is enough for a new backup data; and storing the new backup data if the storage space is enough, if not delete the oldest backup data until enough storage space in the assigned storage space is obtained.
 2. The method of claim 1 further comprising a step of assigning each of the time windows a predetermined number for data backups, whereby new backup data is created and maintained as far as the assigned number has not reached.
 3. The method of claim 2 further comprising a step of providing an internal clock for the data backup system independent from a main clock of a main system and setting an expiration time for each backup data, whereby the data backup system calculates the expiration time with the internal clock.
 4. A method for protecting backup data stored in a data backup system, the backup data being created in accordance with a data backup policy, the method comprising: defining a plurality of time windows for creating and maintaining backup data in accordance with the data backup policy; assigning each of the time windows a predetermined number for data backup; creating a backup data in a certain time window in accordance with a data backup policy; determining whether the number of backup data in the time window is within the assigned number; and storing the new backup data if the number of backup data in the time window is within the assigned number.
 5. The method of claim 4 wherein if the number of backup data is not within the assigned number, the oldest backup data is deleted before storing the new backup data.
 6. The method of claim 4 wherein if the number of backup data is not within the assigned number, generation of new backup data stops.
 7. The method of claim 4 wherein if the number of backup data is not within the assigned number, interleaving backup data is deleted before storing the new backup data.
 8. The method of claim 4 further comprising a step of providing an internal clock for the data backup system independent from a main clock of a main system and setting an expiration time for each backup data, whereby the data backup system calculates the expiration time with the internal clock.
 9. A method for protecting backup data stored in a data backup system, the data backup system backing up data generated by a main system, the method comprising: providing an internal clock for the data backup system independent from a main clock of the main system; creating a plurality of backup data in accordance with a data backup policy, each backup data having an expiration time to be removed from the data backup system; and removing the backup data in accordance with the internal clock regardless of the main clock.
 10. The method of claim 9 wherein an interval during which the system is up is recorded and the internal clock is reset using the last recorded interval when the system is recovered from the shut down.
 11. An apparatus for backing up data comprising: a backup data generation unit for creating a backup data in accordance with a data backup policy; a data storage for storing the backup data; and a controller for defining a plurality of time windows for creating and maintaining backup data in accordance with the data backup policy, and for assigning each of the time windows a predetermined amount of storage space, whereby a new backup data created during a particular time window is stored in a storage space assigned to the time window if the assigned storage space has not been used up, and if the assigned storage space has been used up, deleting the oldest backup data until enough storage space in the assigned storage space is obtained.
 12. The apparatus of claim 11 wherein the controller further assigns each of the time windows a predetermined number for data backups, whereby the new backup data is stored if the number of backup data in the time window is within the assigned number.
 13. The apparatus of claim 12 wherein if the number of backup data is not within the assigned number, the oldest backup data is deleted before storing the new backup data.
 14. The apparatus of claim 12 wherein if the number of backup data is not within the assigned number, generation of new backup data stops.
 15. The apparatus of claim 12 wherein if the number of backup data is not within the assigned number, interleaving backup data is deleted before storing the new backup data.
 16. The apparatus of claim 12 further comprising an internal clock independent from a main clock of a main system, whereby the controller maintains the backup data in accordance with the internal clock.
 17. The apparatus of claim 11 wherein the backup data generation unit generates a snapshot of the data.
 18. The apparatus of claim 17 wherein the snapshot is stored in a secondary storage.
 19. An apparatus for backing up data comprising: a backup data generation unit for creating a backup data in accordance with a data backup policy; a data storage for storing the backup data; and a controller for defining a plurality of time windows for creating and maintaining backup data in accordance with the data backup policy, and for assigning each of the time windows a predetermined number of data backups, whereby the controller maintains the number of backup data within the predetermined number during the corresponding time window.
 20. The apparatus of claim 19 further comprising an internal clock independent from a main clock of a main system, whereby the controller maintains the backup data in accordance with the internal clock.
 21. The apparatus of claim 19 wherein the backup data generation unit generates a snapshot of the data.
 22. The apparatus of claim 21 wherein the snapshot is stored in a secondary storage.
 23. An apparatus for backing up data comprising: a backup data generation unit for creating a backup data for backing up data generated by a main system in accordance with a data backup policy, each backup data having an expiration time to be removed; a data storage for storing the backup data; an internal clock; and a controller maintains the backup data in accordance with the internal clock independent from a main clock of the main system.
 24. The apparatus of claim 23 wherein the backup data generation unit generates a snapshot of the data.
 25. The apparatus of claim 24 wherein the snapshot is stored in a secondary storage.
 26. The apparatus of claim 25 wherein an interval during which the system is up is recorded and the internal clock is reset using the last recorded interval when the system is recovered from the shut down. 